IPSEC filter specs (why so screwy?)

Vincent Fatica

The Local Security Policy MMC snap-in allows me to create an IPSEC
filter with

Address: 210.0.0.0
Mask: 254.0.0.0

And it works, matching 210.*.*.* and 211.*.*.*.

But it won't let me create one with

Address: 60.0.0.0
Mask: 254.0.0.0

telling me the mask is invalid. What's going on?

Another question: Does it allow non-contiguous masks? These IP
addresses

81.52.250.0 - 81.52.250.127

are a collection of Akamai servers (some of which MS uses). When I
try to design a filter to target them, I use

Address: 81.52.250.0
Mask: 255.255.255.127

Again, I'm told "invalid mask". Am I supposed to make 127 different
filters? It would seem that IP matching via an address/mask
specification is a very simple thing. Why is IPSEC's implementation
of it so flaky?

I could find no rules for address/mask pairs. Has MS said anywhere
how to determine the validity of such a spec?

Any help ...? Thanks.
 
Boyd Benson [MS]

Hi Vince,

The IPsec Policy Management snapin in Windows2000 does not fully support
supernetted addresses. If you would like to add supernetted address ranges
as you are specifying in your post, you will need to use the Windows2000
Resource Kit utility IPsecPol.EXE.

Also near the end of your post you mentioned a mask using .127. We can use
the following Subnet ID and mask to represent the range (81.52.250.0 -
81.52.250.127) that you've given:
Subnet ID: 81.52.250.0
Subnet Mask: 255.255.255.128

(To represent 81.52.250.128 - 81.52.250.254 we would use:
Subnet ID: 81.52.250.128
Subnet Mask: 255.255.255.128)

Thanks,
Boyd Benson
Microsoft Technical Support

--------------------
 
Vincent Fatica

> The IPsec Policy Management snapin in Windows2000 does not fully support
> supernetted addresses. If you would like to add supernetted address ranges
> as you are specifying in your post, you will need to use the Windows2000
> Resource Kit utility IPsecPol.EXE.

Thanks, Boyd. I am using XP. The one time I tried, that Windows 2000
utility would not run under XP. Is it possible to get that utility
working under XP?

> Also near the end of your post you mentioned a mask using .127. We can use
> the following Subnet ID and mask to represent the range (81.52.250.0 -
> 81.52.250.127) that you've given:
> Subnet ID: 81.52.250.0
> Subnet Mask: 255.255.255.128

Yes, that seems to work correctly done with the XP MMC snap-in. So
please, what exactly is the mechanism for determining a match when the
following are specified:

FilterSpec, FilterMask, PacketIP

Is it

(FilterSpec & FilterMask) == (PacketIP & FilterMask)

If so, then I had it a little wrong. Even so, I still don't
understand why the XP/MMC snap-in allows

210.0.0.0 / 254.0.0.0

and does not allow

60.0.0.0 / 254.0.0.0 (invalid mask)

Is there another way to match 60.*.*.* and 61.*.*.* with a single
filter?

- Vince
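The match rule Vince proposes is the standard subnet test, and it also explains why a .127 mask is rejected: the mask bits must be contiguous, and the address must already be the network address under that mask. This is an added illustration, not code from the thread or from any Microsoft tool; it uses the thread's own filter specs as constructed inputs and says nothing about how the snap-in itself validates them.

```python
import ipaddress

MAX32 = 0xFFFFFFFF


def to_int(dotted: str) -> int:
    """Dotted-quad IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def to_str(value: int) -> str:
    """32-bit integer back to dotted-quad form."""
    return str(ipaddress.IPv4Address(value))


def filter_matches(spec: str, mask: str, packet: str) -> bool:
    """Standard address/mask test: (spec & mask) == (packet & mask)."""
    m = to_int(mask)
    return (to_int(spec) & m) == (to_int(packet) & m)


def mask_is_contiguous(mask: str) -> bool:
    """True when the mask is a run of 1 bits followed only by 0 bits.

    Inverting such a mask yields 2**k - 1, which has no bit in common
    with its successor; 255.255.255.127 inverts to 0x80 and fails.
    """
    inv = (~to_int(mask)) & MAX32
    return (inv & (inv + 1)) == 0


def spec_is_valid(spec: str, mask: str) -> bool:
    """A usable address/mask pair: contiguous mask and spec is the
    network address under that mask (no host bits set)."""
    s, m = to_int(spec), to_int(mask)
    return mask_is_contiguous(mask) and (s & m) == s


def covered_range(spec: str, mask: str) -> tuple:
    """First and last address a contiguous mask covers, as dotted quads."""
    s, m = to_int(spec), to_int(mask)
    first = s & m
    last = first | ((~m) & MAX32)
    return to_str(first), to_str(last)


def prefix_length(mask: str) -> int:
    """CIDR prefix length of a contiguous mask (254.0.0.0 -> /7)."""
    return bin(to_int(mask)).count("1")
```

Under this rule 60.0.0.0/254.0.0.0 is just as well-formed as 210.0.0.0/254.0.0.0, so the snap-in's "invalid mask" for the former is a tool limitation rather than an addressing error.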
 
Boyd Benson [MS]

Hi Vince,

IPsecPol.exe will only work on Windows2000.
IPsecCmd.exe must be used for command line policy configuration in
WindowsXP.

I do not know the details of the algorithm used for supernetted addresses
in the Snapin, but I do see the behavior you are stating and from previous
experience with IPsecPol.exe this is a limitation of the Snapin; we should
be able to use supernetted masks from the command line tools. (From a few
quick tests based on what you've told me, I see that it is possible to use
the 254.0.0.0 mask with some (very few) Subnet IDs.)

I would concentrate on using the command line tools for tasks involving
supernetted masks.

Thanks!
Boyd Benson
Microsoft Technical Support

--------------------
 
Vincent Fatica

> (From a few
> quick tests based on what you've told me, I see that it is possible to use
> the 254.0.0.0 mask with some (very few) Subnet IDs.)
>
> I would concentrate on using the command line tools for tasks involving
> supernetted masks.

My experience (first octet only) suggests that with the snap-in you
can use mask 254 if and only if the address spec'd is >=192 ... a bit
arbitrary, eh!

With IPSECCMD.EXE, I can create a

60.0.0.0 / 254.0.0.0

filter. Later it shows up in the MMC plug-in correctly, but it
doesn't work (i.e., doesn't do anything).

A question about IPSECCMD: I notice that it doesn't respect the rule
names I created with the snap-in. For example, I have a collection of
filters comprising a rule called "Continents" which I made with the
snap-in. When I use IPSECCMD with "-r Continents", I get a new rule,
called "Continents{<CLSID>}" containing the new filter(s). How can I
get IPSECCMD to match **my** "Continents" rule? Thanks, Boyd.

- Vince
 
Vincent Fatica

I can only assume something's buggy. Forget about local policy and
the MMC snap-in. Using IPSECCMD.EXE ...

ipseccmd -f [210.0.0.0/254.0.0.0+0]

creates a **working** filter targeting 210.*.*.* and 211.*.*.*. Test
it with PING, you get "Destination host unreachable".

But try

ipsec -f [60.0.0.0/254.0.0.0+0]

(to match 60.*.*.* and 61.*.*.*). You get "Command completed
successfully", the filter is shown by "ipsec show filters", but **it
doesn't work** (at all).

- Vince